[websec] Issue 55 - Key pinning should clarify that the newest pinning information takes precedence
"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Tue, 05 March 2013 00:58 UTC
Return-Path: <ryan-ietfhasmat@sleevi.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7213921F88E2 for <websec@ietfa.amsl.com>; Mon, 4 Mar 2013 16:58:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.134
X-Spam-Level:
X-Spam-Status: No, score=-2.134 tagged_above=-999 required=5 tests=[AWL=0.465, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QddmINvZMG3r for <websec@ietfa.amsl.com>; Mon, 4 Mar 2013 16:58:05 -0800 (PST)
Received: from homiemail-a65.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by ietfa.amsl.com (Postfix) with ESMTP id C019221F88A0 for <websec@ietf.org>; Mon, 4 Mar 2013 16:57:57 -0800 (PST)
Received: from homiemail-a65.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a65.g.dreamhost.com (Postfix) with ESMTP id E91957E405D for <websec@ietf.org>; Mon, 4 Mar 2013 16:57:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :date:subject:from:to:reply-to:mime-version:content-type: content-transfer-encoding; s=sleevi.com; bh=+4YD0RWcYH5CS9xm+5kN EeKJUnc=; b=ibRoQ+/fBihugHXd7jamdPcW+tvwLBFl3xr7FczNN3447Zs4Ns8i Hdf/oa0400uTd8+LUcvHLuM2jkuXP38BB2M8y71f7Zc83+N5zr/AygBUp6gmQs+K JvQwNwMqJ+WUNAU48R1poph3sMbixTph+x01p/eSg5R3E7on6eFVPew=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a65.g.dreamhost.com (Postfix) with ESMTPA id E64EF7E4058 for <websec@ietf.org>; Mon, 4 Mar 2013 16:57:56 -0800 (PST)
Received: from 216.239.45.93 (proxying for 216.239.45.93) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Mon, 4 Mar 2013 16:57:56 -0800
Message-ID: <b6009964af0dae16c45619eb94c0f0e9.squirrel@webmail.dreamhost.com>
Date: Mon, 04 Mar 2013 16:57:56 -0800
From: Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
To: websec@ietf.org
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [websec] Issue 55 - Key pinning should clarify that the newest pinning information takes precedence
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ryan-ietfhasmat@sleevi.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2013 00:58:05 -0000
This was raised with http://trac.tools.ietf.org/wg/websec/trac/ticket/55 , as a concern about the interaction between static/preloaded pin entries and those that were noted later (eg: through the observation of the header) In draft-04, Section 2.7 http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04#section-2.7 addresses this by indicating that UAs MUST use the newest information available. Note: This does not normatively describe how a UA must determine newest. The assumption here is that this represents the "newest observed", but the question is whether or not that should be explicitly specified. For example, imagine a UA that supports automatic updates to Preloaded Pin Lists. One interpretation of "newest information" would be to look at the most recent update to the preloaded pin list as a whole. Another interpretation of "newest information" may be to look at the date/time that the entry was originally added/updated in the "preloaded pin list". Imagine this UA had a preload for Site 1 to a set of pins, with the preload created at T=0. Later, at T=5, it observes a Max-Age of 0, effectively unpinning the host. At T=10, the UA vendor ships a new update to the preloaded pin list that adds Site 2, but which has not been updated to unpin Site 1. Under the first interpretation of "newest information", Site 1 would be "reactivated", by virtue of observing an update to the preloaded pin list. Under the second interpretation, Site 1 would remain unpinned. The authors belief is that the issues that arise from either implementations are artifacts of the implementation and distribution of preloaded pins, rather than an issue intrinsic to this specification. That is, the "correct" answer is that the preloaded pin list should be updated for Site 1 - however that information is distributed between the site operator and the creator of the preloaded pin list. Are there concerns with this interpretation, or can we close out Issue 55?